umami-mcp-server
Provides an MCP server that exposes Umami Analytics data (websites, stats, pageviews, metrics, and active visitors) as MCP tools for MCP clients like Claude Desktop, VS Code/Copilot, Cursor, and others. Supports local stdio transport or an HTTP Streamable endpoint (/mcp) with session handling.
Score Breakdown
⚙ Agent Friendliness
🔒 Security
Strengths: HTTPS is used for the hosted MCP URL in documentation, and HTTP-mode credentials are intended to be sent in headers on initialize. Weaknesses: query-parameter credential fallback is explicitly used for Claude Desktop (deprecated), which can leak secrets via logs/history/referrers. No evidence of fine-grained scopes, token-based auth, or secret redaction practices is provided in the README. Rate limiting and detailed security headers/CORS defaults are not described beyond ALLOWED_ORIGINS default '*'.
⚡ Reliability
Best When
You want to query Umami Analytics from an MCP-capable assistant tool, either locally (stdio) or via an HTTP deployment for remote clients.
Avoid When
You cannot securely manage UMAMI credentials (env vars/headers/query-string fallback) or require strict, documented API-level throttling and error contract details.
Use Cases
- • Generate analytics reports for a website over a date range
- • Answer traffic questions (top pages, visit patterns)
- • Break down user metrics by country/city, browser, device
- • Monitor active visitors and near-real-time traffic
- • Inspect page traffic over time and investigate traffic drops
Not For
- • Enterprise-grade compliance/security auditing without additional hardening and verification
- • Use cases requiring OAuth/OIDC identity federation
- • Environments needing documented rate-limit guarantees or pagination semantics
Interface
Authentication
Authentication is based on Umami host/username/password provided to the MCP server. For the hosted HTTP usage, the README indicates credentials are passed via headers on initialize; for Claude Desktop, it falls back to query parameters, which is weaker from a logging/URL-leak perspective.
Pricing
No pricing details are provided; availability of a hosted instance is mentioned.
Agent Metadata
Known Gotchas
- ⚠ Claude Desktop may force credentials into query parameters because custom headers are not supported (deprecated approach noted).
- ⚠ Remote HTTP usage requires MCP initialize credentials; mismatched/invalid Umami credentials will prevent tool availability.
- ⚠ If the binary path is not absolute or the transport mode/env vars are misconfigured, tools may not show up.
Alternatives
Full Evaluation Report
Comprehensive deep-dive: security analysis, reliability audit, agent experience review, cost modeling, competitive positioning, and improvement roadmap for umami-mcp-server.
AI-powered analysis · PDF + markdown · Delivered within 30 minutes
Package Brief
Quick verdict, integration guide, cost projections, gotchas with workarounds, and alternatives comparison.
Delivered within 10 minutes
Score Monitoring
Get alerted when this package's AF, security, or reliability scores change significantly. Stay ahead of regressions.
Continuous monitoring
Scores are editorial opinions as of 2026-03-30.